
ISC2 ISSAP Exam Topics

ISC2 ISSAP Exam Overview:

Exam Name: Information Systems Security Architecture Professional (ISSAP)
Exam Code: ISSAP
Certification: ISC2 CISSP-ISSAP (a CISSP concentration)
Actual Exam Duration: 150 minutes
Expected no. of Questions in Actual Exam: 125

ISC2 ISSAP Exam Topics:

Section (Weight): Objectives

Domain 1: Architect for Governance, Compliance and Risk Management (17%)
Determine legal, regulatory, organizational, and industry requirements: identify applicable information security standards and guidelines, recognize third-party and contractual obligations (supply chain, partnerships), and understand sensitive-data standards and privacy regulations. Design systems for auditability so that regulatory and legislative requirements can be demonstrated, and coordinate with external entities such as law enforcement and independent assessors. Manage risk: identify and classify risks, conduct risk assessments, recommend risk treatment strategies such as mitigation or transfer, and monitor and report on risk.

Domain 2: Security Architecture Modeling (15%)
Determine the security architecture approach: types and scopes (enterprise, network, Service-Oriented Architecture (SOA), cloud, Internet of Things (IoT), Industrial Control Systems (ICS)/Supervisory Control and Data Acquisition (SCADA)); frameworks such as Sherwood Applied Business Security Architecture (SABSA) and Service-Oriented Modeling Framework (SOMF); reference architectures and blueprints; security configuration (baselines, benchmarks, profiles); and network configuration (physical, logical, high availability, segmentation, zones). Verify and validate the design: Functional Acceptance Testing (FAT) and regression testing; validation of threat modeling results (threat vectors, impact, probability); identification of gaps and alternative solutions; and Independent Verification and Validation (IV&V) through tabletop exercises, modeling and simulation, and manual review of functions.

Domain 3: Infrastructure Security Architecture (21%)
Develop infrastructure security requirements, that is, specifications for securing the foundational components of a system. Design a defense-in-depth architecture of multiple, layered controls so that no single control failure exposes the system. Secure shared services: wireless, email, Voice over Internet Protocol (VoIP), Unified Communications (UC), Domain Name System (DNS), and Network Time Protocol (NTP). Integrate technical security controls so that individual mechanisms reinforce one another. Design and integrate infrastructure monitoring to observe and manage the security posture of infrastructure components.

Domain 4: Identity and Access Management (IAM) Architecture (16%)
Design identity management and lifecycle, access control management and lifecycle, and identity and access solutions. This covers establishing and verifying identity; assigning identifiers to users, services, processes, and devices; identity provisioning and de-provisioning; trust relationships; authentication methods, protocols, and technologies; access control concepts and principles, access control configurations, and authorization processes and workflows; roles, rights, and responsibilities for system, application, and data access control; management of privileged accounts; and authorization methods such as Single Sign-On (SSO) and role-based access control.

Domain 5: Architect for Application Security (13%)
Integrate the Software Development Life Cycle (SDLC) with application security architecture: assess code review methodologies; determine the need for application protection such as a Web Application Firewall (WAF) and secure APIs; specify encryption requirements for data at rest, in transit, and in use; evaluate the need for secure communications between applications and databases or other endpoints; and use secure code repositories. Determine application security capability requirements and strategy: review the security of the various application types, determine cryptographic solutions, and evaluate the applicability of security controls for system components (mobile and web client applications; proxy, application, and database services) across environments including open source and Cloud Service Providers (CSPs).

Domain 6: Security Operations Architecture (18%)
Gather security operations requirements from legal, compliance, organizational, and business needs. Design information security monitoring, including Security Information and Event Management (SIEM), insider threat detection, threat intelligence, user behavior analytics, and Incident Response (IR) detection and analysis processes. Design proactive and automated security monitoring and remediation: vulnerability management, compliance audits, and penetration testing.
Official Information: https://www.isc2.org/Certifications/CISSP-Concentrations#tab-2-1

Updates in the ISC2 ISSAP Exam Topics:

ISC2 ISSAP exam questions and a practice test are the best ways to get fully prepared. Study4exam's preparation material consists of both practice questions and a practice test. To pass the actual Information Systems Security Architecture Professional (ISSAP) exam on the first attempt, you need to work through these questions, as they cover all updated ISC2 ISSAP exam topics included in the official syllabus. Besides studying actual questions, you should take the ISC2 ISSAP practice test for self-assessment and exam simulation. Revise exam questions and correct your mistakes with the ISSAP exam practice test. Online and Windows-based formats of the ISSAP practice test are available for self-assessment.